Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2009-03-19

I just read my favorite blog post of the month, by Adam on Emergent Chaos comparing the Holy See's comments on condoms in Africa to our often-dogmatic approach to Information Security. His comments:

In information security, we often keep saying the same thing over and over again, because we know it's right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don't, and yet we keep saying those things. We tell them they "have to" fix all the security problems all the time.

I'd like to go further, and do, in my reply to his post. At issue is our propensity to shift all of the hardest problems in security today onto those who are least equipped or capable of handling them: end users. Nobody asks to get into the security business when they buy a computer; they want to entertain themselves, or positively contribute to some task, or fill an everyday need... yet we put them in it anyway. We ask everyone who buys a computer to join us in our perverse universe of paranoia. This is a lazy, improper, and unsustainable approach. If anyone is looking for the hardest problems to solve in our industry, look no further than your parents' complaints about their computer, your friends' complaints about websites, or your coworkers' complaints about corporate policy. We've left them holding the bag on the hardest problems.

My comment on Adam's post is reproduced below.

Adam,

Fascinating and apt analogy. The "blame the user" fallback has bothered me for years... and it truly is a fallback.

To follow on to your password example: Why do users write down their passwords? Because we insist they be complex, temporal, and different between systems. Why do we do this? So they're not easily guessable. Isn't, then, the authentication mechanism the problem? We have an obtuse, antiquated authentication mechanism that belies the nature of the beast using the system. We wouldn't ask a donkey to type on a keyboard - what we have built here is the psychological equivalent. We don't change it because it is hard - technologically, procedurally, institutionally - to do so. Therefore, we insist on a system poorly suited to today's computing realities, and blame the user.

As you suggest, there are many manifestations of this, passwords being but one. Microsoft's sage advice to mitigate Office vulnerabilities ("don't click on attachments from people you don't know") is yet another of my favorites. But in the end, it seems many of these situations end up shifting the burden of blame to the end user, subjugating them to our whims of what is and isn't "easy," rather than facilitating their use of the equipment and letting them focus on what their real job is.

It's going to be very, very hard for IT to break this very inviting habit...

Michael Cloppert

I write on this topic frequently... I can only hope more people begin to realize the seriousness of this problem, and that we must begin to make it a tractable one.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, have received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing an MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.